Getting valid cookie consent as part of ensuring compliance in the collection of data
Per Fries, Head of Legal
Marketing and advertising technologies can be a powerful tool enabling you to leverage the true value of your data. We’ve previously explored the use of different types of user identifiers, including cookie identifiers. This blog post will consider some of the legal aspects of cookies and relevant case law developments in the EU, including how to collect appropriate consent for their use.
FIRST: A checklist
ASKING FOR CONSENT
Are consent requests separated by purpose?
- Do you give the option to consent to each type of cookie based on its purpose (i.e. the user can choose which cookies to consent to, for example accepting functional cookies while declining social media cookies)?
Do you inform users about:
- The purpose of the cookies (should be included already in the cookie banner)
- The duration of cookies
- How the user can revoke consent
- The third parties that may have access to the cookie information (e.g. Google or Facebook)
Is this information clear and comprehensive? It should be written in a language appropriate for the target audience.
Are the means of consent explicit? This requires affirmative action, NOT through the use of pre-ticked boxes.
Do you provide functionalities to revoke or change consent settings?
Does your consent system stop cookies from being set until consent is obtained?
USING PERSONAL DATA
Do you inform the users about the processing of personal data collected by the cookies in accordance with the information requirements in the GDPR?
Is this information prominent and easily accessible (e.g. in your cookie and/or privacy notice)?
Do you maintain records of consent given by end-users?
THIRD PARTIES’ USE OF PERSONAL DATA
Is this information prominent and easily accessible?
Cookies and similar technologies (e.g. web beacons or tags) are regulated by two main legal instruments:
- The General Data Protection Regulation (‘GDPR’), which applies to all personal data processed
- The ePrivacy Directive, which specifically regulates the placing of cookies and similar technologies on a user’s device
In practice, the placing of cookies or similar technologies is regulated by the ePrivacy Directive, but the personal data collected by them may serve to identify individuals and therefore falls under the GDPR. Also, consent to cookies must fulfil the requirements for valid consent under the GDPR. This means that direct marketing practices must be entirely compliant with both.
Importantly, the European Data Protection Board has confirmed that the Directive will take precedence over general provisions of the GDPR in cases where it particularises the rules set out in the GDPR. For example, the Directive specifically requires prior consent for the collection of data via the setting of cookies, so the other, more general, legal grounds for processing in the GDPR cannot be relied on.
If consent is required, what is consent?
Before setting any cookies on a website and collecting any data from a user’s device, consent must be obtained. Pursuant to the GDPR, this consent must be freely given, specific, informed and unambiguous in order to be valid.
- Freely given. This excludes any cases where the end-user is forced into giving consent (such as “cookie walls”).
- Specific. This requires consent to be given for each type of cookie based on its specific purpose, so social media cookies need to be consented to separately from e.g. functional cookies.
- Informed. The end-user must be made aware of what they are consenting to, and certain specific information must be given.
- Unambiguous. This requires clear affirmative action, so pre-ticked boxes are not considered valid.
What cookies require consent?
The ePrivacy Directive doesn’t require consent for so-called “strictly necessary cookies”, those that are generally set solely to ensure the functioning of the website. These may for example include cookies aimed at authentication, cookies that store the contents of a shopping basket, or cookies that allow paying websites to limit free access to their content to a certain quantity and/or for a certain limited time period. Otherwise, any other types of cookies that are not strictly necessary require consent.
What is “freely given” consent?
Cookie walls, which block a visitor’s access to a website unless they consent, have not yet been interpreted by case law. However, we believe that in most cases this would not be considered freely given consent, and therefore not allowed, since a cookie wall more or less forces the user to accept cookies in order to use the website.
By the same token, consent is not considered freely given and valid if the user cannot modify their choices at any time and withdraw their consent to the setting of cookies. It must be as easy to withdraw consent as it is to give it, so such settings should be easily accessible and available at all times throughout the user’s browsing. A lot of websites only address this by referring users to their browser settings. However, the Spanish Data Protection Authority recently fined a company that did this, so this may no longer be considered sufficient for compliance. Instead, a consent mechanism allowing users to modify their settings directly on the webpage may be preferred and is thus strongly recommended.
How specific should it be?
Consent should be obtained separately for each type of cookie which follows a specific purpose. This requires distinguishing, for example, between cookies for social media, performance/analytics, and tracking. The user must be given the option to consent to each category/purpose individually by ticking separate boxes. At the moment, certain supervisory authorities have confirmed that this is sufficient, and that consent per each individual cookie is not strictly required.
What information should be given?
What does affirmative action mean?
Is the end of cookies near?
Supervisory authorities appear to be clamping down on cookies and consent mechanisms, both following complaints and on their own initiative, so it is all the more important to implement properly compliant consent flows. In addition, increased privacy concerns may mean that the future holds something very different for cookies. An example of this is Intelligent Tracking Prevention (ITP), implemented by Apple, which initially aimed to block third-party cookies from collecting cross-site browsing data for ad targeting purposes. Its most recent update, ITP 2.2, deprecates certain first-party client-side cookies after 24 hours, making it increasingly privacy enhancing. Other browsers such as Firefox and Chrome are also taking action in this area. This presents challenges for the future of data collection for digital marketing purposes.
To summarise, the following points are worth paying attention to:
- Be proactive: ensuring compliance with applicable legislation is crucial, so staying up to date with any developments is essential.
- Be informed: companies should be diligent and should for example know what data are being processed or which cookies are being placed on their websites or apps. You should also be aware of any applicable policies on platforms used in digital marketing. Compliance with these is important in order to keep using such tools in accordance with their terms and conditions.
- Use a consent mechanism that ensures a compliant consent flow for cookies. Remember that:
  - Consent must be opt-in: pre-checked boxes are not valid
  - Consent should be granular, meaning that end users should at least consent to each type of cookie based on its purpose
  - Consents must be recorded
  - It should be as easy to withdraw consent as it is to give it. End users should be able to modify their consent settings easily, and at all times, directly on your website or app
- Be transparent as part of your compliance: make sure your policies, notices and cookie prompts are appropriate and up to date. They should:
  - be clearly written and accessible to the target audience
  - reference the correct applicable legislation and supervisory authority
  - be specific and adapted to your activities
  - provide all necessary information to end users (for example how to withdraw consent, duration of the cookies, and other required details)
  - be easily available on the website
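As an added example (not code from the original post), the following JavaScript sketches a consent gate that enforces the consent-mechanism points above and the checklist at the start: optional cookies stay blocked until a decision exists, every category defaults to unticked, each decision is recorded with a timestamp, and withdrawal is a single call. The category names and the cookie catalogue are constructed assumptions.

```javascript
// Added example, not code from the original post. Category names and the
// cookie catalogue below are constructed assumptions for illustration.
const CATEGORIES = ['functional', 'analytics', 'social_media', 'tracking'];

// Constructed catalogue: each cookie's purpose, lifetime and third party (the
// details a banner must disclose). Strictly necessary cookies need no consent.
const COOKIE_CATALOGUE = {
  session_id: { category: 'strictly_necessary', maxAgeDays: 0, thirdParty: null },
  basket:     { category: 'strictly_necessary', maxAgeDays: 7, thirdParty: null },
  _ga:        { category: 'analytics', maxAgeDays: 730, thirdParty: 'Google' },
  fb_like:    { category: 'social_media', maxAgeDays: 90, thirdParty: 'Facebook' },
};

class ConsentManager {
  constructor(now = () => new Date()) {
    this.now = now;
    this.consents = null; // null = no decision yet, so nothing optional may be set
    this.records = [];    // audit trail of every decision, including withdrawals
  }
  // Opt-in default: every optional category starts unticked.
  defaultChoices() {
    return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  }
  // Record a granular decision. Only an explicit boolean true counts as
  // consent; unknown categories are rejected rather than silently dropped.
  recordConsent(choices, source) {
    const merged = this.defaultChoices();
    for (const [cat, given] of Object.entries(choices)) {
      if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
      merged[cat] = given === true;
    }
    this.consents = merged;
    this.records.push({ at: this.now().toISOString(), source, choices: { ...merged } });
    return merged;
  }
  // Withdrawal is as easy as consenting: one call, recorded like any decision.
  withdraw(category) {
    return this.recordConsent({ ...(this.consents || {}), [category]: false }, 'withdraw');
  }
  // The gate every cookie-setting path must pass through. Fails closed for
  // unknown cookies and for optional cookies before any decision exists.
  mayStore(cookieName) {
    const meta = COOKIE_CATALOGUE[cookieName];
    if (!meta) return false;
    if (meta.category === 'strictly_necessary') return true;
    return this.consents !== null && this.consents[meta.category] === true;
  }
}
```

In a real page every write to document.cookie and every tag loader would be wrapped in mayStore(), and the records array would be persisted server-side as the consent log the checklist asks for.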